
When must a company send a data breach notification?

In our last post, we discussed how to minimize your risk of a data breach. But what do you do if a data breach occurs? How will you know when to send a notification? Today, we’ll discuss just that.

Regrettably, most companies have suffered or will suffer a security breach affecting their customer data. Virtually all states have laws requiring notification to customers affected by such a data breach. Accordingly, one of the very first questions a victim of such a breach confronts is whether notice must be provided under these laws. Unfortunately, vague statutory language and a dearth of regulatory and judicial guidance make this assessment difficult.

Adding to this complexity is the fact that companies must make such assessments in a matter of days, not weeks or months. Accordingly, it is essential for organizations to be prepared with an appropriate protocol to make such assessments accurately and expeditiously.

Dozens of different laws may govern your company’s use and retention of customer personal information. While certain laws have been tightened to create a presumption that notice must be sent when any breach occurs, most statutory notice triggers occur only after the data owner makes an assessment of the likelihood of customer harm. For example, under new HIPAA regulations, notification is required unless a risk assessment demonstrates a low probability that the protected health information has been compromised.

To determine whether notice must be sent, most federal and state data privacy laws involve a four-step framework:

1. Whether use or disclosure was permitted under the applicable privacy rule;

2. Whether personally identifiable information was unsecured or limited;

3. Whether an exception applies; and

4. Whether the disclosure presents a significant risk of harm.

This fourth factor raises special challenges and requires more of a subjective assessment than the other three. Little guidance has been given to companies forced to make this assessment. Court decisions arising from data breach class actions are potentially instructive. A recent decision in the Adobe Systems data breach case set forth some factors to consider when assessing risk of future harm to Adobe’s customers flowing from the data breach. Likewise, the Ninth Circuit’s decision in Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010) may assist companies struggling with this question. While these judicial decisions focus on separate legal issues arising from data breach class action suits, these findings may be helpful when assessing the notice trigger under a data breach protocol.

As states become increasingly vigilant about customer notice, having in place a detailed data breach response plan with a predetermined risk assessment protocol will become vital. Companies do not want to be in the position of scurrying to create a risk framework only after suffering a breach.